Home Explore Help
Sign In
lenn
/
grpc1.45.2
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
grpc1.45.2
/
test
/
core
/
security
/
xds_credentials_test.cc

xds_credentials_test.cc 12 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304 
  1. //
    2. 

  2. //
    3. 

  3. // Copyright 2020 gRPC authors.
    4. 

  4. //
    5. 

  5. // Licensed under the Apache License, Version 2.0 (the "License");
    6. 

  6. // you may not use this file except in compliance with the License.
    7. 

  7. // You may obtain a copy of the License at
    8. 

  8. //
    9. 

  9. //     http://www.apache.org/licenses/LICENSE-2.0
    10. 

  10. //
    11. 

  11. // Unless required by applicable law or agreed to in writing, software
    12. 

  12. // distributed under the License is distributed on an "AS IS" BASIS,
    13. 

  13. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    14. 

  14. // See the License for the specific language governing permissions and
    15. 

  15. // limitations under the License.
    16. 

  16. //
    17. 

  17. //
    18. 

  18. 

  19. #include "src/core/lib/security/credentials/xds/xds_credentials.h"
    20. 

  20. 

  21. #include <gtest/gtest.h>
    22. 

  22. 

  23. #include <grpc/grpc.h>
    24. 

  24. 

  25. #include "test/core/util/test_config.h"
    26. 

  26. 

  27. namespace grpc_core {
    28. 

  28. namespace testing {
    29. 

  29. 

  30. namespace {
    31. 

  31. 

  32. StringMatcher ExactMatcher(const char* string) {
    33. 

  33.   return StringMatcher::Create(StringMatcher::Type::kExact, string).value();
    34. 

  34. }
    35. 

  35. 

  36. StringMatcher PrefixMatcher(const char* string, bool case_sensitive = true) {
    37. 

  37.   return StringMatcher::Create(StringMatcher::Type::kPrefix, string,
    38. 

  38.                                case_sensitive)
    39. 

  39.       .value();
    40. 

  40. }
    41. 

  41. 

  42. StringMatcher SuffixMatcher(const char* string, bool case_sensitive = true) {
    43. 

  43.   return StringMatcher::Create(StringMatcher::Type::kSuffix, string,
    44. 

  44.                                case_sensitive)
    45. 

  45.       .value();
    46. 

  46. }
    47. 

  47. 

  48. StringMatcher ContainsMatcher(const char* string, bool case_sensitive = true) {
    49. 

  49.   return StringMatcher::Create(StringMatcher::Type::kContains, string,
    50. 

  50.                                case_sensitive)
    51. 

  51.       .value();
    52. 

  52. }
    53. 

  53. 

  54. StringMatcher SafeRegexMatcher(const char* string) {
    55. 

  55.   return StringMatcher::Create(StringMatcher::Type::kSafeRegex, string).value();
    56. 

  56. }
    57. 

  57. 

  58. TEST(XdsSanMatchingTest, EmptySansList) {
    59. 

  59.   std::vector<const char*> sans = {};
    60. 

  60.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    61. 

  61.       sans.data(), sans.size(),
    62. 

  62.       {ExactMatcher("a.example.com"), ExactMatcher("b.example.com")}));
    63. 

  63. }
    64. 

  64. 

  65. TEST(XdsSanMatchingTest, EmptyMatchersList) {
    66. 

  66.   std::vector<const char*> sans = {"a.example.com", "foo.example.com"};
    67. 

  67.   EXPECT_TRUE(
    68. 

  68.       TestOnlyXdsVerifySubjectAlternativeNames(sans.data(), sans.size(), {}));
    69. 

  69. }
    70. 

  70. 

  71. TEST(XdsSanMatchingTest, ExactMatchIllegalValues) {
    72. 

  72.   std::vector<const char*> sans = {".a.example.com"};
    73. 

  73.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    74. 

  74.       sans.data(), sans.size(),
    75. 

  75.       {ExactMatcher(""), ExactMatcher("a.example.com"),
    76. 

  76.        ExactMatcher(".a.example.com")}));
    77. 

  77.   sans = {""};
    78. 

  78.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    79. 

  79.       sans.data(), sans.size(),
    80. 

  80.       {ExactMatcher(""), ExactMatcher("a.example.com"),
    81. 

  81.        ExactMatcher(".a.example.com")}));
    82. 

  82.   sans = {"a.example.com"};
    83. 

  83.   EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
    84. 

  84.       sans.data(), sans.size(),
    85. 

  85.       {ExactMatcher(""), ExactMatcher("a.example.com"),
    86. 

  86.        ExactMatcher(".a.example.com")}));
    87. 

  87. }
    88. 

  88. 

  89. TEST(XdsSanMatchingTest, ExactMatchDns) {
    90. 

  90.   std::vector<const char*> sans = {"a.example.com"};
    91. 

  91.   EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
    92. 

  92.       sans.data(), sans.size(), {ExactMatcher("a.example.com")}));
    93. 

  93.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    94. 

  94.       sans.data(), sans.size(), {ExactMatcher("b.example.com")}));
    95. 

  95.   sans = {"b.example.com."};
    96. 

  96.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    97. 

  97.       sans.data(), sans.size(), {ExactMatcher("a.example.com.")}));
    98. 

  98.   EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
    99. 

  99.       sans.data(), sans.size(), {ExactMatcher("b.example.com.")}));
    100. 

  100. }
    101. 

  101. 

  102. TEST(XdsSanMatchingTest, ExactMatchWithFullyQualifiedSan) {
    103. 

  103.   std::vector<const char*> sans = {"a.example.com."};
    104. 

  104.   EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
    105. 

  105.       sans.data(), sans.size(), {ExactMatcher("a.example.com")}));
    106. 

  106.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    107. 

  107.       sans.data(), sans.size(), {ExactMatcher("b.example.com")}));
    108. 

  108. }
    109. 

  109. 

  110. TEST(XdsSanMatchingTest, ExactMatchWithFullyQualifiedMatcher) {
    111. 

  111.   std::vector<const char*> sans = {"a.example.com"};
    112. 

  112.   EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
    113. 

  113.       sans.data(), sans.size(), {ExactMatcher("a.example.com.")}));
    114. 

  114.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    115. 

  115.       sans.data(), sans.size(), {ExactMatcher("b.example.com.")}));
    116. 

  116. }
    117. 

  117. 

  118. TEST(XdsSanMatchingTest, ExactMatchDnsCaseInsensitive) {
    119. 

  119.   std::vector<const char*> sans = {"A.eXaMpLe.CoM"};
    120. 

  120.   EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
    121. 

  121.       sans.data(), sans.size(), {ExactMatcher("a.example.com")}));
    122. 

  122.   EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
    123. 

  123.       sans.data(), sans.size(), {ExactMatcher("a.ExAmPlE.cOm")}));
    124. 

  124. }
    125. 

  125. 

  126. TEST(XdsSanMatchingTest, ExactMatchMultipleSansMultipleMatchers) {
    127. 

  127.   std::vector<const char*> sans = {"a.example.com", "foo.example.com",
    128. 

  128.                                    "b.example.com"};
    129. 

  129.   EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
    130. 

  130.       sans.data(), sans.size(),
    131. 

  131.       {ExactMatcher("abc.example.com"), ExactMatcher("foo.example.com"),
    132. 

  132.        ExactMatcher("xyz.example.com")}));
    133. 

  133. }
    134. 

  134. 

  135. TEST(XdsSanMatchingTest, ExactMatchWildCard) {
    136. 

  136.   std::vector<const char*> sans = {"*.example.com"};
    137. 

  137.   EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
    138. 

  138.       sans.data(), sans.size(), {ExactMatcher("a.example.com")}));
    139. 

  139.   EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
    140. 

  140.       sans.data(), sans.size(), {ExactMatcher("fOo.ExAmPlE.cOm")}));
    141. 

  141.   EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
    142. 

  142.       sans.data(), sans.size(), {ExactMatcher("BaR.eXaMpLe.CoM")}));
    143. 

  143.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    144. 

  144.       sans.data(), sans.size(), {ExactMatcher(".example.com")}));
    145. 

  145.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    146. 

  146.       sans.data(), sans.size(), {ExactMatcher("example.com")}));
    147. 

  147.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    148. 

  148.       sans.data(), sans.size(), {ExactMatcher("foo.bar.com")}));
    149. 

  149. }
    150. 

  150. 

  151. TEST(XdsSanMatchingTest, ExactMatchWildCardDoesNotMatchSingleLabelDomain) {
    152. 

  152.   std::vector<const char*> sans = {"*"};
    153. 

  153.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    154. 

  154.       sans.data(), sans.size(), {ExactMatcher("abc")}));
    155. 

  155.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    156. 

  156.       sans.data(), sans.size(), {ExactMatcher("abc.com.")}));
    157. 

  157.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    158. 

  158.       sans.data(), sans.size(), {ExactMatcher("bar.baz.com")}));
    159. 

  159.   sans = {"*."};
    160. 

  160.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    161. 

  161.       sans.data(), sans.size(), {ExactMatcher("abc")}));
    162. 

  162.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    163. 

  163.       sans.data(), sans.size(), {ExactMatcher("abc.com.")}));
    164. 

  164.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    165. 

  165.       sans.data(), sans.size(), {ExactMatcher("bar.baz.com")}));
    166. 

  166. }
    167. 

  167. 

  168. TEST(XdsSanMatchingTest, ExactMatchAsteriskOnlyPermittedInLeftMostDomainName) {
    169. 

  169.   std::vector<const char*> sans = {"*.example.*.com"};
    170. 

  170.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    171. 

  171.       sans.data(), sans.size(), {ExactMatcher("abc.example.xyz.com")}));
    172. 

  172.   sans = {"*.exam*ple.com"};
    173. 

  173.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    174. 

  174.       sans.data(), sans.size(), {ExactMatcher("abc.example.com")}));
    175. 

  175. }
    176. 

  176. 

  177. TEST(XdsSanMatchingTest,
    178. 

  178.      ExactMatchAsteriskMustBeOnlyCharacterInLeftMostDomainName) {
    179. 

  179.   std::vector<const char*> sans = {"*c.example.com"};
    180. 

  180.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    181. 

  181.       sans.data(), sans.size(), {ExactMatcher("abc.example.com")}));
    182. 

  182. }
    183. 

  183. 

  184. TEST(XdsSanMatchingTest,
    185. 

  185.      ExactMatchAsteriskMatchingAcrossDomainLabelsNotPermitted) {
    186. 

  186.   std::vector<const char*> sans = {"*.com"};
    187. 

  187.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    188. 

  188.       sans.data(), sans.size(), {ExactMatcher("abc.example.com")}));
    189. 

  189.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    190. 

  190.       sans.data(), sans.size(), {ExactMatcher("foo.bar.baz.com")}));
    191. 

  191.   EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
    192. 

  192.       sans.data(), sans.size(), {ExactMatcher("abc.com")}));
    193. 

  193. }
    194. 

  194. 

  195. TEST(XdsSanMatchingTest, PrefixMatch) {
    196. 

  196.   std::vector<const char*> sans = {"abc.com"};
    197. 

  197.   EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(sans.data(), sans.size(),
    198. 

  198.                                                        {PrefixMatcher("abc")}));
    199. 

  199.   sans = {"AbC.CoM"};
    200. 

  200.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    201. 

  201.       sans.data(), sans.size(), {PrefixMatcher("abc")}));
    202. 

  202.   sans = {"xyz.com"};
    203. 

  203.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    204. 

  204.       sans.data(), sans.size(), {PrefixMatcher("abc")}));
    205. 

  205. }
    206. 

  206. 

  207. TEST(XdsSanMatchingTest, PrefixMatchIgnoreCase) {
    208. 

  208.   std::vector<const char*> sans = {"aBc.cOm"};
    209. 

  209.   EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
    210. 

  210.       sans.data(), sans.size(),
    211. 

  211.       {PrefixMatcher("AbC", false /* case_sensitive */)}));
    212. 

  212.   sans = {"abc.com"};
    213. 

  213.   EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
    214. 

  214.       sans.data(), sans.size(),
    215. 

  215.       {PrefixMatcher("AbC", false /* case_sensitive */)}));
    216. 

  216.   sans = {"xyz.com"};
    217. 

  217.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    218. 

  218.       sans.data(), sans.size(),
    219. 

  219.       {PrefixMatcher("AbC", false /* case_sensitive */)}));
    220. 

  220. }
    221. 

  221. 

  222. TEST(XdsSanMatchingTest, SuffixMatch) {
    223. 

  223.   std::vector<const char*> sans = {"abc.com"};
    224. 

  224.   EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
    225. 

  225.       sans.data(), sans.size(), {SuffixMatcher(".com")}));
    226. 

  226.   sans = {"AbC.CoM"};
    227. 

  227.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    228. 

  228.       sans.data(), sans.size(), {SuffixMatcher(".com")}));
    229. 

  229.   sans = {"abc.xyz"};
    230. 

  230.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    231. 

  231.       sans.data(), sans.size(), {SuffixMatcher(".com")}));
    232. 

  232. }
    233. 

  233. 

  234. TEST(XdsSanMatchingTest, SuffixMatchIgnoreCase) {
    235. 

  235.   std::vector<const char*> sans = {"abc.com"};
    236. 

  236.   EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
    237. 

  237.       sans.data(), sans.size(),
    238. 

  238.       {SuffixMatcher(".CoM", false /* case_sensitive */)}));
    239. 

  239.   sans = {"AbC.cOm"};
    240. 

  240.   EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
    241. 

  241.       sans.data(), sans.size(),
    242. 

  242.       {SuffixMatcher(".CoM", false /* case_sensitive */)}));
    243. 

  243.   sans = {"abc.xyz"};
    244. 

  244.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    245. 

  245.       sans.data(), sans.size(),
    246. 

  246.       {SuffixMatcher(".CoM", false /* case_sensitive */)}));
    247. 

  247. }
    248. 

  248. 

  249. TEST(XdsSanMatchingTest, ContainsMatch) {
    250. 

  250.   std::vector<const char*> sans = {"abc.com"};
    251. 

  251.   EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
    252. 

  252.       sans.data(), sans.size(), {ContainsMatcher("abc")}));
    253. 

  253.   sans = {"xyz.abc.com"};
    254. 

  254.   EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
    255. 

  255.       sans.data(), sans.size(), {ContainsMatcher("abc")}));
    256. 

  256.   sans = {"foo.AbC.com"};
    257. 

  257.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    258. 

  258.       sans.data(), sans.size(), {ContainsMatcher("abc")}));
    259. 

  259. }
    260. 

  260. 

  261. TEST(XdsSanMatchingTest, ContainsMatchIgnoresCase) {
    262. 

  262.   std::vector<const char*> sans = {"abc.com"};
    263. 

  263.   EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
    264. 

  264.       sans.data(), sans.size(),
    265. 

  265.       {ContainsMatcher("AbC", false /* case_sensitive */)}));
    266. 

  266.   sans = {"xyz.abc.com"};
    267. 

  267.   EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
    268. 

  268.       sans.data(), sans.size(),
    269. 

  269.       {ContainsMatcher("AbC", false /* case_sensitive */)}));
    270. 

  270.   sans = {"foo.aBc.com"};
    271. 

  271.   EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
    272. 

  272.       sans.data(), sans.size(),
    273. 

  273.       {ContainsMatcher("AbC", false /* case_sensitive */)}));
    274. 

  274.   sans = {"foo.Ab.com"};
    275. 

  275.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    276. 

  276.       sans.data(), sans.size(),
    277. 

  277.       {ContainsMatcher("AbC", false /* case_sensitive */)}));
    278. 

  278. }
    279. 

  279. 

  280. TEST(XdsSanMatchingTest, RegexMatch) {
    281. 

  281.   std::vector<const char*> sans = {"abc.example.com"};
    282. 

  282.   EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
    283. 

  283.       sans.data(), sans.size(), {SafeRegexMatcher("(abc|xyz).example.com")}));
    284. 

  284.   sans = {"xyz.example.com"};
    285. 

  285.   EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
    286. 

  286.       sans.data(), sans.size(), {SafeRegexMatcher("(abc|xyz).example.com")}));
    287. 

  287.   sans = {"foo.example.com"};
    288. 

  288.   EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
    289. 

  289.       sans.data(), sans.size(), {SafeRegexMatcher("(abc|xyz).example.com")}));
    290. 

  290. }
    291. 

  291. 

  292. }  // namespace
    293. 

  293. 

  294. }  // namespace testing
    295. 

  295. }  // namespace grpc_core
    296. 

  296. 

  297. int main(int argc, char** argv) {
    298. 

  298.   ::testing::InitGoogleTest(&argc, argv);
    299. 

  299.   grpc::testing::TestEnvironment env(argc, argv);
    300. 

  300.   grpc_init();
    301. 

  301.   auto result = RUN_ALL_TESTS();
    302. 

  302.   grpc_shutdown();
    303. 

  303.   return result;
    304. 

  304. }
    305.